On Wed, 2003-10-01 at 05:16, Herbert Xu wrote:
> Hi:
>
> I have received bug reports saying that SNAT does not work when the
> packets have to be SNATed before they can enter an IPSEC tunnel
> under the 2.6 IPSEC stack.
>
> The problem is that SNAT can only be performed in POSTROUTING while
> IPSEC policy lookups are done at the same time as the route lookup.
>
> Has anyone else thought about this problem?
>
> I have considered introducing a new NAT chain between filtering
> and routing where you can place SNAT rules into. Of course, the
> same thing applies to reverse DNAT rules as well.
>
> Any opinions on this would be appreciated.
>
> Thanks,

This is precisely the problem I pointed out a month or so back but I
never got any response on it.

Here's my take on it.

NAT is not an elegant standard. It's a hack to provide a temporary fix
for the IPv4 address space crunch. On the other hand, IPSec is a good
standard and is also mandatory for IPv6. Hence the focus should be on
IPSec much more than on NAT.

Now, NAT-Traversal encapsulates IPSec packets in UDP. Can we do an
IPSec / NAT-Traversal combo in order to solve this problem? Maybe have
a POSTROUTING_NATTRAVERSAL table that will be automatically filled with
entries based on active IPSec tunnels or policies?

Not a NetFilter expert like you guys are, but I know enough to be
dangerous :)

--
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/

The views, opinions, and judgements expressed in this message are
solely those of the author. The message contents have not been
reviewed or approved by Zultys.
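The ordering problem Herbert describes can be made concrete with a small model of the outbound path. The following is an added example written for this page, not code from the thread or from the kernel: it models the pipeline the mail describes (IPsec policy lookup at route time, SNAT afterwards in POSTROUTING) beside the proposed variant (a NAT step before routing), and shows why the policy selector misses the packet in the first case. The addresses, the policy selector and the SNAT rule are constructed, hypothetical values.

```python
"""Toy model of the SNAT / IPsec policy ordering problem discussed in the thread.

Constructed example, not kernel code. Two pipelines are modelled:
  - send_current_order:      route + xfrm policy lookup first, SNAT later (POSTROUTING)
  - send_nat_before_routing: SNAT first (the proposed NAT chain), then policy lookup
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    encrypted: bool = False


# Constructed IPsec policy (hypothetical addresses): tunnel traffic whose
# source is the box's public NAT address towards the remote LAN.
XFRM_POLICIES = [
    {"src": "203.0.113.10/32", "dst": "198.51.100.0/24", "action": "tunnel"},
]

# Constructed SNAT rule (hypothetical): rewrite the private LAN source to the
# public address before the packet leaves.
SNAT_RULES = [
    {"match_src": "192.168.1.0/24", "to_source": "203.0.113.10"},
]


def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def snat(pkt):
    """Apply the first matching SNAT rule, returning the rewritten packet."""
    for rule in SNAT_RULES:
        if _in(pkt.src, rule["match_src"]):
            return replace(pkt, src=rule["to_source"])
    return pkt


def xfrm_lookup(pkt):
    """Return the matching outbound policy, or None (models the route-time lookup)."""
    for pol in XFRM_POLICIES:
        if _in(pkt.src, pol["src"]) and _in(pkt.dst, pol["dst"]):
            return pol
    return None


def send_current_order(pkt):
    """Policy lookup happens with routing and sees the pre-NAT source address."""
    pol = xfrm_lookup(pkt)      # source is still 192.168.1.x here: no match
    pkt = snat(pkt)             # POSTROUTING SNAT runs too late for the selector
    if pol is not None:
        pkt = replace(pkt, encrypted=True)
    return pkt                  # leaves NATed but in the clear


def send_nat_before_routing(pkt):
    """Proposed NAT chain between filtering and routing: SNAT before the lookup."""
    pkt = snat(pkt)             # selector now sees 203.0.113.10
    pol = xfrm_lookup(pkt)
    if pol is not None:
        pkt = replace(pkt, encrypted=True)
    return pkt


if __name__ == "__main__":
    lan_pkt = Packet("192.168.1.5", "198.51.100.7")
    print("current order :", send_current_order(lan_pkt))
    print("nat first     :", send_nat_before_routing(lan_pkt))
```

Run it and the first pipeline emits the packet with the public source but `encrypted=False`, which is exactly the symptom in the bug reports: the SNAT happens, but the packet never enters the tunnel because the selector was evaluated against the private address.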